Perth Mint hit by data breach involving third-party provider

13 customers is not a lot, but I'm curious about who the "third-party provider" would be, maybe one of those online AML checking services, given the info stolen.
 
Here’s the email that went out to investors

Dear Customer,


We are writing to let you know that The Perth Mint has experienced a data breach involving the personal information of 13 Depository Online customers.


At the outset we want to assure you that your Depository Online investment account at The Perth Mint remains secure and has not been affected in any way.


Our forensic investigation to date indicates that the breach occurred as a result of data being taken from information held by a third-party provider.



We are in the process of contacting the 13 clients whose data has been breached and offering them assistance to help prevent their personal information from being misused.


Our investigation is ongoing, and we are working with the external third-party provider to understand how this breach occurred.



We have taken immediate steps to nullify the identified threat and can assure your account and our systems remain secure.



Further information in relation to our response to the data breach is available on our website www.perthmint.com/data



If you would like to contact us in relation to this matter please email our depository team at
 
I got the email too. Seems odd that it's only 13 people, and who is the third party and why did they have access to customers' data?
 
We know from their annual report they have 35,000 depository customers, so 13 is really small although the article says "Depository Online investors represented only a small group of the Perth Mint's customer base" so it is 13 out of some "small" proportion of 35,000.
 
More people hit, including myself it seems:

Dear Customer,

We are writing to you further to our original communication dated 8th September 2018 when we let you know there had been a data breach involving the personal information of a number of The Perth Mint Depository Online customers.

At the outset, we want to again reassure you that your Depository Online investment account at The Perth Mint remains secure and has not been affected in any way.

Our forensic investigation has now confirmed that your personal information was also compromised by the breach that occurred in systems belonging to a third-party technology provider.

As a result, the personal information that was stored in relation to your account has been accessed by an unauthorised person. This information includes the numbers of your bank account, your passport and/or driver’s license. However, no scanned copies of any documents you have provided have been accessed illegally.

As a precaution, we recommend that you contact your bank and advise them of this data breach so they can advise you of any steps that should be taken. If you have concerns over the use of your driver’s license and/ or passport numbers, we recommend that you contact the relevant authority to also seek their advice.

The information illegally accessed was taken from an old 2016 database, so if you have updated your personal information after this date your updated information remains secure.

We sincerely regret any concerns caused by this incident. We again reassure you that your investments are unaffected and remain safe and guaranteed by the Western Australian Government.

Further information in relation to our response to the data breach is available on our website www.perthmint.com/data

If you have any enquiries in relation to this matter, please contact our depository team at [email protected] or call on +61 8 9421 7250.

Thank you.

Nothing important, just your bank account, passport and driver's license number, and presumably your name as well :rolleyes:
 
+ address, DOB, enough for identity theft? That wording is very vague, "from an old 2016 database" means everyone who had an account in 2016 has been breached. I note that the email does not give a number of customers affected anymore, probably because it is a big number.
 
Looks like they got all the personal data of 3200 customers.

https://www.perthmint.com/mr-tpm-confirms-more-customers-in-data-breach.aspx

Monday 17 September 2018

MEDIA RELEASE

PERTH MINT CONFIRMS MORE CUSTOMERS INVOLVED IN DATA BREACH


The Perth Mint has learned that the data breach reported last week actually involved the taking of personal details belonging to approximately 3,200 Depository Online customers, Chief Executive Officer Richard Hayes announced today.

"As previously advised, ongoing forensic investigations continue and we were made aware of this development over the weekend. We have moved quickly to contact the affected Depository Online customers in order to protect their interests," he said.

"While we are extremely disappointed, we have again assured our customers that their investments are unaffected and remain safe and secure.

"Our dedicated customer support team has been working extended hours to provide our customers with advice and to answer any inquiries they may have."

Mr Hayes confirmed the data breach occurred on the system of a third-party technology provider. However, he again assured customers that there is no evidence to suggest The Perth Mint’s own internal systems have been compromised in any way.

"We launched a forensic investigation when the data breach was identified and we have worked closely with our third-party provider and a range of cyber-crime experts during the ongoing inquiry," he said.

"We are continuing to work with the third-party provider to understand how this breach has occurred and we will continue to work with the authorities, including the Australian Federal Police.

"I can assure our customers there is no threat to any account holdings at The Perth Mint and none of our data systems have been breached.

"We sincerely regret any concern caused by this incident and will do everything we can to support and assist our customers."

Mr Hayes said Depository Online investors represented only a small subset of The Perth Mint's customer base. He said he was confident that no data belonging to any other investors or customers had been accessed.

Since identifying the breach, The Perth Mint has:

  • Launched a forensic investigation with cyber-crime experts
  • Notified all affected customers via email
  • Set up a dedicated phone line to deal with customer enquiries
  • Notified the Office of the Australian Information Commissioner
  • Notified the Western Australian Police and the Australian Federal Police

Information for customers is available on The Perth Mint website www.perthmint.com/data or by calling the Depository Online call centre on +61 8 9421 7250.
 
It's really bad, if my address and another detail is exposed...
this could mean someone can kidnap my kitty cat and ask me to empty my safe
you cannot protect the property from its owner
 
10% of the depository customer base does not "represent only a small subset of The Perth Mint's customer base". They say "no threat to any account holdings" but then say in the email that "we recommend that you contact your bank ... If you have concerns over the use of your driver’s license and/ or passport numbers, we recommend that you contact the relevant authority to also seek their advice".

I wonder what the going price is for a list of 3200 addresses of people with potentially physical gold at home?
 
Oh my. 3,200 is a slightly bigger deal than 13.

"We apologise for the fault in the subtitles. Those responsible have been sacked."
 
Got the letter a few hours back..
Replied to PM and
Wrote to my bank..
I can change my bank account details but not my Identity
Should I be concerned about my passport.. ?
 
Very strange, what service aren’t I getting that excluded me from this data breach?

In all seriousness, it would be nice to know what particular service was affected, for people who might no longer use Perth Mint.

Especially since clients' DOB definitely wouldn’t have changed and potentially passport, driver licence, bank and address haven’t changed either.
 
From Perth Mint:
"In relation to what ID information was accessed, only the Passport number and Expiry date were accessed, no other ID document’s details were accessed during the breach."
 